Restricted group local administrators can RDP into DC

Tags: active-directory, group-policy, remote desktop, user-permissions

I have added restricted groups to my Desktops OU, and this adds the "Local Admins" security group to the local Administrators group on workstations in that OU. The issue is that after this GPO is applied, regular user accounts can RDP "INTO THE DOMAIN CONTROLLER". I have confirmed that this is the offending GPO and there are no other settings in this GPO; its only purpose is to apply that one restricted group.

The group does get applied to the workstations and does work as expected, except for this one issue. Even a gpresult /z doesn't mention that GPO anywhere when run on the DC, but it does on the workstations.

The "Desktops" OU contains the "Local Admins" GPO. The domain controller is in the "Domain Controllers" OU.

[screenshot: OU Layout]

[screenshot: Restricted Group settings]

"gpresult /scope computer /r" of Workstation:

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
(c) 2016 Microsoft Corporation. All rights reserved.

Created on 04/30/2016 at 1:29:28 PM



RSOP data for DOMAIN\John.Doe on WORKSTATION : Logging Mode
-----------------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  10.0.10586
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\John.Doe
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=WORKSTATION,OU=Mobile-Devices,DC=DOMAIN,DC=info
    Last time Group Policy was applied: 04/30/2016 at 12:07:55 PM
    Group Policy was applied from:      DOMAINCONTROLLER.DOMAIN.info
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DOMAIN
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Computer GPO
        Local Admin GPO
        Remote Management
        PSTools
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        WORKSTATION$
        Domain Computers
        Authentication authority asserted identity
        System Mandatory Level

"gpresult /scope computer /r" of DC:

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
(c) 2012 Microsoft Corporation. All rights reserved.

Created on 4/30/2016 at 1:22:52 PM



RSOP data for DOMAIN\John.Doe on DOMAINCONTROLLER : Logging Mode
----------------------------------------------------------------

OS Configuration:            Primary Domain Controller
OS Version:                  6.2.9200
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\John.Doe
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=DOMAINCONTROLLER,OU=Domain Controllers,DC=DOMAIN,DC=info
    Last time Group Policy was applied: 4/30/2016 at 1:20:57 PM
    Group Policy was applied from:      DOMAINCONTROLLER.DOMAIN.info
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DOMAIN
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        Certificate Service DCOM Access
        BUILTIN\Pre-Windows 2000 Compatible Access
        BUILTIN\Users
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        DOMAINCONTROLLER$
        Domain Controllers
        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
        Authentication authority asserted identity
        Denied RODC Password Replication Group
        RAS and IAS Servers
        Cert Publishers
        System Mandatory Level

Best Answer

In your restricted group settings shown, the Local Admins group is a member of the "Administrators" group, which is the domain group. If you want them to be members of the local Administrators group, you need to configure the "This group is a member of" setting to "BUILTIN\Administrators".
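One way to verify the diagnosis above (and the question's symptom that the GPO never shows up in gpresult on the DC, yet ordinary users can RDP in) from a machine with RSAT installed, as an added example that is not code from the question or the answer: it reads the Restricted Groups section of the GPO straight from SYSVOL to see what the "member of" target was stored as, asks AD whether "Local Admins" is nested anywhere under the domain's built-in Administrators group, and reads which principals the Default Domain Controllers Policy grants the RDP logon right. The GPO and group names ("Local Admin GPO", "Local Admins") are taken from the post; the GptTmpl.inf layout, the LDAP_MATCHING_RULE_IN_CHAIN OID and the SeRemoteInteractiveLogonRight name are standard Windows behaviour, not anything the post states.

```powershell
# Added example, not code from the original question or answer. Assumes the RSAT
# GroupPolicy and ActiveDirectory modules and the names used in the post; edit the
# two variables to match your environment.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Local Admin GPO'   # the Restricted Groups GPO seen in the workstation's gpresult
$GroupName = 'Local Admins'      # the domain group that GPO pushes into Administrators

# Read one [Section] of a GPO's machine security template (GptTmpl.inf) from SYSVOL.
# Restricted Groups is stored in [Group Membership] as "<group>__Memberof = <targets>"
# and "<group>__Members = <members>"; user rights are stored in [Privilege Rights] as
# "<right> = <principals>". Principals are either SIDs prefixed with '*' or plain names.
function Get-GptTmplSection {
    param([Parameter(Mandatory)]$Gpo, [Parameter(Mandatory)][string]$Section)
    $inf = "\\$($Gpo.DomainName)\SYSVOL\$($Gpo.DomainName)\Policies\{$($Gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path -LiteralPath $inf)) { return @() }   # GPO carries no security settings
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq $Section); continue }
        if ($inSection -and $line -match '^\s*(?<key>[^=]+?)\s*=\s*(?<value>.*)$') {
            [pscustomobject]@{
                Key    = $Matches.key
                Values = @($Matches.value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            }
        }
    }
}

# Turn "*S-1-5-32-544" into "BUILTIN\Administrators"; plain names are returned unchanged.
function Resolve-Principal([string]$Principal) {
    $Principal = $Principal.TrimStart('*')
    if ($Principal -notmatch '^S-1-') { return $Principal }
    try   { ([System.Security.Principal.SecurityIdentifier]$Principal).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Principal }
}

# 1. What the GPO actually says. S-1-5-32-544 is the well-known Administrators SID:
#    every machine applying the GPO maps it to its OWN Administrators group, and on a
#    DC that group is the domain's built-in Administrators.
$gpo = Get-GPO -Name $GpoName
Get-GptTmplSection -Gpo $gpo -Section 'Group Membership' | ForEach-Object {
    $group, $kind = $_.Key -split '__', 2
    [pscustomobject]@{
        Group   = Resolve-Principal $group
        Setting = $kind      # Memberof = "This group is a member of", Members = "Members of this group"
        Targets = ($_.Values | ForEach-Object { Resolve-Principal $_ }) -join ', '
    }
} | Format-Table -AutoSize

# 2. Is the group nested anywhere under the domain's Administrators group?
#    LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested membership
#    server-side; Get-ADGroupMember -Recursive only returns leaf objects, not groups.
$admins = Get-ADGroup -Identity 'Administrators'
$nested = @(Get-ADGroup -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($admins.DistinguishedName))" |
            Select-Object -ExpandProperty Name)
if ($nested -contains $GroupName) {
    Write-Warning "'$GroupName' is a direct or transitive member of $($admins.Name); every member can log on to the DCs as an administrator."
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object Name, SamAccountName | Format-Table -AutoSize
} else {
    "'$GroupName' is not nested under $($admins.Name)."
}

# 3. Who may RDP into DCs at all: SeRemoteInteractiveLogonRight ("Allow log on through
#    Remote Desktop Services"). Read it from the Default Domain Controllers Policy; if no
#    GPO linked to the Domain Controllers OU sets it, the DC's local default (Administrators)
#    is what is in effect.
$dcPolicy = Get-GPO -Name 'Default Domain Controllers Policy'
$rdpRight = Get-GptTmplSection -Gpo $dcPolicy -Section 'Privilege Rights' |
            Where-Object Key -eq 'SeRemoteInteractiveLogonRight'
if ($rdpRight) {
    'RDP logon right on DCs granted to: ' + (($rdpRight.Values | ForEach-Object { Resolve-Principal $_ }) -join ', ')
} else {
    'Default Domain Controllers Policy does not set SeRemoteInteractiveLogonRight; the local default (Administrators) applies unless another DC-linked GPO sets it.'
}
```

Run it as a domain administrator. Two caveats: the LDAP filter in step 2 embeds the group's distinguished name verbatim, so if your Administrators DN ever contained `(`, `)`, `*` or `\` it would need RFC 4515 escaping; and changing the GPO as the answer suggests only changes what the workstations do from now on, since a Restricted Groups "member of" setting adds membership but never removes it, and the DC never applied this GPO in the first place. If step 2 reports the group, remove it from Administrators explicitly (Remove-ADGroupMember) and re-run the script to confirm.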
